I'm attempting to set up a reverse proxy with relayd using the "transparent forward to" configuration (non-transparent works fine) under OpenBSD 4.4.

My configuration is as follows:

===============================

#
# Macros
#
relayd_addr="127.0.0.1"
elrond="10.10.19.4"
celebrian="10.10.19.5"

#
# Global Options
#
interval 10
timeout 200
prefork 10
log updates

#
# Each table will be mapped to a pf table.
#
table <pop3_servers> { $elrond $celebrian }

protocol "tcp_service" {
        tcp { nodelay, socket buffer 65536 }
}

relay maildelivery {
        listen on $relayd_addr port 2525
        protocol "tcp_service"
        transparent forward to <pop3_servers> port smtp check tcp interface bnx1
}

===============================

Related PF configuration is:

===============================

ext_if="bnx0"
elrond = "10.10.19.4"
netguard = "66.159.122.2"

pop3_servers = "{"  $elrond "}"

rdr on $ext_if proto tcp from $netguard to 66.159.112.123 port smtp -> lo0 port 2525

pass in proto tcp from $netguard to $pop3_servers port smtp
pass in proto tcp from $netguard to lo0 port 2525

===============================

I'm unsure if I'm using the correct interface in the transparent forward to line as it's not clear in the man page that an interface is even required (though if left out it says missing interface).

When started, forwarding looks correct, but times out immediately:

relay maildelivery, session 4 (1 active), 0, 66.159.122.2 -> 10.10.19.4:25, connect timeout
relay maildelivery, session 5 (1 active), 0, 66.159.122.2 -> 10.10.19.4:25, connect timeout
relay maildelivery, session 6 (1 active), 0, 66.159.122.2 -> 10.10.19.4:25, connect timeout
relay maildelivery, session 7 (1 active), 0, 66.159.122.2 -> 10.10.19.4:25, connect timeout

If I monitor the interface on 10.10.19.4 as well as the outbound interface on the firewall I can see the request go out to 10.10.19.4, and the response from 10.10.19.4 return, but it still times out immediately.

I'm sure I'm just missing something in my configuration. If anyone can point me in the correct direction, I'd be much obliged.

Thank you.

--
Regards,

Derek Buttineau
Internet Systems Developer
Compu-SOLVE Internet Services
Compu-SOLVE Technologies, Inc

Phone:  705-725-1212 x255
E-Mail:  [EMAIL PROTECTED]
